mft2csv - NTFS systemfile extracter and $MFT decoder

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

CyberGonzo
Senior Member
 

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Feb 06, 12 16:24

Oops, I was staring at page one and had no idea 2 more pages followed the discussion :)

Quickly scanned the content and I now see mention of fixup for INDX blocks as well ?

Do I have to correct these blocks as well before processing them ?  
 
  

joakims
Senior Member
 

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Feb 07, 12 03:35

@CyberGonzo
No need for worrying about INDX for $MFT parsing, I believe. It was just mentioned to show how the fixup arrays are built up and relate to the $Logfile.
_________________
Joakim Schicht

github.com/jschicht 
 
  

CyberGonzo
Senior Member
 

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Feb 08, 12 01:05

@Joakim

No, Ddan was right.
I now 'fixup' INDX structures too and it has 'fixed' a few issues, such as incomprehensibly corrupted filenames etc.

PS. I'm not getting emails anymore when somebody posts in these threads. Is this just me or is there a site malfunction ?
 
  

Ddan
Member
 

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Feb 08, 12 05:52

@CyberGonzo

Sorry for not replying sooner.

As far as I am aware fixup is used in mft records, indx records and logfile records. Whichever set you are processing, fixup needs to be done on that set. As you have noted, not doing fixup can cause all sorts of bizarre issues.

With the count of fixup words, since fixup is done on a sector by sector basis, you need one word for each sector in the record plus one control word.

Ddan  
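
The fixup described in the post above, as an added example that is not part of the original thread and is not mft2csv code. It assumes 512-byte sectors and the usual multi-sector header layout (fixup array offset at byte 4, word count at byte 6); the function names and the sample record are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: fixup is applied in 512-byte steps

class FixupError(ValueError):
    """Record header or sector tails are inconsistent."""

def apply_fixup(record: bytes, sector: int = SECTOR) -> bytes:
    """Return a copy of an on-disk FILE/INDX/RCRD record with sector tails restored."""
    if len(record) < 8:
        raise FixupError("too short for a multi-sector header")
    # Header: signature (4 bytes), fixup array offset (u16), fixup word count (u16)
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    sectors = usa_count - 1  # one word per sector plus one control word
    if sectors < 1 or sectors * sector > len(record):
        raise FixupError(f"fixup count {usa_count} does not fit the record")
    # Sanity check: the array must sit in the first sector, before its tail
    if usa_off < 8 or usa_off + 2 * usa_count > sector - 2:
        raise FixupError("fixup array lies outside the first sector")
    control = record[usa_off:usa_off + 2]
    out = bytearray(record)
    for i in range(sectors):
        tail = (i + 1) * sector - 2
        # On disk, the last two bytes of every sector hold the control word
        if record[tail:tail + 2] != control:
            raise FixupError(f"sector {i}: tail != control word (incomplete write?)")
        saved = usa_off + 2 * (i + 1)
        out[tail:tail + 2] = record[saved:saved + 2]  # put the original bytes back
    return bytes(out)

def sample_record() -> bytes:
    """Constructed 1024-byte FILE record as it would sit on disk (not real evidence)."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)  # array at 0x30, 2 sectors + 1 control
    rec[0x30:0x36] = b"\x05\x00" b"\xAA\xBB" b"\xCC\xDD"  # control word, saved tails
    rec[510:512] = rec[1022:1024] = b"\x05\x00"  # tails overwritten with control word
    return bytes(rec)

if __name__ == "__main__":
    fixed = apply_fixup(sample_record())
    print(fixed[510:512].hex(), fixed[1022:1024].hex())
```

Parsing the sample without this step would read the control word `05 00` at offsets 510 and 1022 instead of the real data, which is the kind of corruption reported for filenames in INDX records earlier in the thread.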
 
  

CyberGonzo
Senior Member
 

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Feb 08, 12 15:07

Thanks Ddan  
 
  

joakims
Senior Member
 

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Post Posted: Feb 12, 12 01:35

Does anyone know what the 4 byte signature is for, that is found right after the record end marker (0xFFFFFFFF)?
_________________
Joakim Schicht

github.com/jschicht 
 
